Index: net/http/transport_security_state.h |
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h |
index 14c080a4b65ae6e72f4a37f965dfa8974fc89dd1..11bbe8193b012e0ca50774cd3fc97d8235063651 100644 |
--- a/net/http/transport_security_state.h |
+++ b/net/http/transport_security_state.h |
@@ -198,6 +198,23 @@ class NET_EXPORT TransportSecurityState |
GURL report_uri; |
}; |
+ // An ExpectStapleState describes a site that expects valid OCSP information |
+ // to be stapled to its certificate on every connection. |
+ class NET_EXPORT ExpectStapleState { |
+ public: |
+ ExpectStapleState(); |
+ ~ExpectStapleState(); |
+ |
+ // The domain which matched during a search for this Expect-Staple entry |
+ std::string domain; |
+ |
+ // The URI reports are sent to if a valid OCSP response is not stapled |
+ GURL report_uri; |
+ |
+ // True if subdomains are subject to this policy |
+ bool include_subdomains; |
+ }; |
+ |
// An interface for asynchronously sending HPKP violation reports. |
class NET_EXPORT ReportSender { |
public: |
@@ -228,6 +245,19 @@ class NET_EXPORT TransportSecurityState |
virtual ~ExpectCTReporter() {} |
}; |
+ // An interface for building and asynchronously sending reports when a site |
+ // expects to have sent a valid OCSP staple during a TLS handshake, but it |
+ // wasn't supplied. |
+ class NET_EXPORT ExpectStapleReporter { |
+ public: |
+ virtual void OnExpectStapleFailed(const net::HostPortPair& host_port_pair, |
+ const GURL& report_uri, |
+ const net::SSLInfo& ssl_info) = 0; |
+ |
+ protected: |
+ virtual ~ExpectStapleReporter() {} |
+ }; |
+ |
// Indicates whether or not a public key pin check should send a |
// report if a violation is detected. |
enum PublicKeyPinReportStatus { ENABLE_PIN_REPORTS, DISABLE_PIN_REPORTS }; |
@@ -261,6 +291,8 @@ class NET_EXPORT TransportSecurityState |
void SetExpectCTReporter(ExpectCTReporter* expect_ct_reporter); |
+ void SetExpectStapleReporter(ExpectStapleReporter* expect_staple_reporter); |
+ |
// Clears all dynamic data (e.g. HSTS and HPKP data). |
// |
// Does NOT persist changes using the Delegate, as this function is only |
@@ -367,6 +399,10 @@ class NET_EXPORT TransportSecurityState |
const HostPortPair& host_port_pair, |
const SSLInfo& ssl_info); |
+ // TODO |
+ void CheckExpectStaple(const HostPortPair& host_port_pair, |
+ const SSLInfo& ssl_info); |
+ |
private: |
friend class TransportSecurityStateTest; |
FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly); |
@@ -447,6 +483,14 @@ class NET_EXPORT TransportSecurityState |
bool GetStaticExpectCTState(const std::string& host, |
ExpectCTState* expect_ct_result) const; |
+ // Returns true and updates |*expect_staple_result| iff there is a static |
+ // (built-in) state for |host| with expect_staple=true, or if |host| is a |
+ // subdomain of another domain with expect_staple=true and |
+ // include_subdomains_for_expect_staple=true. |
+ bool GetStaticExpectStapleState( |
+ const std::string& host, |
+ ExpectStapleState* expect_staple_result) const; |
+ |
// The sets of hosts that have enabled TransportSecurity. |domain| will always |
// be empty for a STSState or PKPState in these maps; the domain |
// comes from the map keys instead. In addition, |upgrade_mode| in the |
@@ -467,6 +511,11 @@ class NET_EXPORT TransportSecurityState |
ExpectCTReporter* expect_ct_reporter_; |
+ // True if static expect-staple state should be used. |
+ bool enable_static_expect_staple_; |
+ |
+ ExpectStapleReporter* expect_staple_reporter_; |
+ |
// Keeps track of reports that have been sent recently for |
// rate-limiting. |
ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>> |